What does cyber resilience strategy mean?

Learn how board-level cyber resilience strategies empower organisations to anticipate, withstand, and recover from cyber threats effectively.

[Image: London street scene with The Gherkin on the left and the Lloyds building in the distance. Caption: The Gherkin, St Mary Axe, London]

This blog post explores the evolution of IT security into a broader, more strategic concept known as cyber resilience. It highlights how traditional security approaches have evolved from trying to prevent every attack to preparing for potential breaches. Drawing on insights from military strategy and financial institutions, the article introduces the concept of “Left of Bang”—a proactive mindset that encourages planning, training, and response before a cyber-attack occurs. It emphasises the importance of board-level engagement through training, oversight, and exercises, reframing cyber threats as business risks rather than just technical issues. Ultimately, the article urges organizations to adopt a forward-thinking strategy that empowers leadership to act decisively and recover swiftly when cyber threats strike.

Background

To understand cyber resilience strategy it helps to look back at how IT Systems Security has evolved. In the early days of computing, system security depended on the physical protection of the facilities housing the hardware. Typically, early computers were in a data centre or a computer room with a locked door.

As technology advanced and computer systems became more widely used, it became essential to manage user access and maintain detailed records of system activity. The advent of the internet marked a pivotal shift, connecting computers to a global network and introducing unprecedented and unforeseen security challenges. The risks were not fully understood by either defenders or attackers. As new threats emerged, new security technologies were developed, such as firewalls, network filtering and email gateways. During this time security professionals were still trying to achieve 100% security through the careful design and application of these new security technologies.

What is Cyber?

The term ‘cyber’ has evolved over time, originating from the concept of ‘cyberspace’ in early science fiction and later adopted in policy and security contexts. While once associated with futuristic narratives, it now represents a critical domain of national and corporate security. The word has its roots in the William Gibson novel Burning Chrome and films such as Terminator and Blade Runner.

In May 1998 the US Presidential Decision Directive 63 (PDD-63) was published. This ground-breaking US government document uses phrases such as cyber-based, cyber-attack and cyberspace, and is an example of the earliest use of the terminology in the US.

In 2009 the first UK Cyber Security Strategy was published. Prior to 2009, UK agencies typically used the terms ‘IT Security’ or ‘Information Security’. The 2009 strategy marked a significant shift in terminology, introducing ‘Cyber Security’ to enhance public understanding and engagement through more accessible language. The new term arguably made IT Security and Information Security sound futuristic and more interesting. Cyber Security was now in the mainstream in the UK, and the media stories soon followed.

What is cyber resilience?

By the early 2000s, it became increasingly evident that achieving absolute security in internet-connected systems was aspirational rather than attainable.

In January 2015 the Bank of England published an article on Cyber Resilience: A financial stability perspective.

A key passage from the report reads: “We should not expect to build an impermeable perimeter that, through technology design, will withstand attack. Rather we should expect the cyber threat to be ever-present, ever-evolving and networks to be penetrated. The capability to identify where this has occurred and to respond is key.”

At the time it was courageous to say so: there is no such thing as 100% cyber security, so firms must consider and plan for incident management and recovery. This has become more critical as ransomware has become more prevalent, with firms being hacked and held to ransom almost daily.

Proactive Incident Planning (‘Left of Bang’)

A cyber resilience strategy focuses on anticipating major incidents, minimizing their impact, and accelerating recovery. The concept of ‘Left of Bang’, borrowed from military strategy, encourages organizations to assume that a cyberattack is inevitable and to proactively plan their response in advance.

Left of Bang is a military concept or tactic that grew out of the US Marine Corps Combat Hunter Program, introduced in 2007 during the Iraq War. It was originally developed to give the US military specialised training and enhanced situational awareness. In short, instead of waiting for an attack to happen, assume it will, and plan and act in advance.

Adopting this approach reframes cybersecurity from a purely technical concern to a strategic business risk, requiring active oversight and decision-making at the board level.

Why is cyber resilience strategy important?

With this mindset you can either wait for an incident to affect you, which is what many firms do, or you can ‘move activities left of bang’, take the initiative and put yourself in an advantageous position. As an example, the client communications for a breach can be drafted in advance so that you do not need to write them while under the stress of a major incident. The same goes for how the technical team communicates with the board during an incident and who is responsible for what. While these actions are straightforward, many organisations fail to allocate the time and resources needed to implement them thoroughly.

Here are some challenging questions for the board:

  • How will the board communicate with each other when the systems are all compromised?
  • Are up-to-date, non-corporate contact details for all board members readily accessible in the event of a system-wide compromise?
  • Do you have the Cyber Resilience Plan printed out on paper?
  • Who are your most important business partners, clients and regulators that you will need to inform?

This shift in mindset—from treating cyber threats as technical problems to viewing them as strategic business risks—enables you to anticipate issues and act proactively, ‘left of bang.’

Three Cyber Resilience Strategy themes

To achieve cyber resilience, organisations are encouraged to ensure that boards receive formal training on cyber resilience strategy, exercise oversight over cyber security, and test their skills and capabilities through table-top exercises.

A. Board level cyber resilience strategy training

Boards should participate in annual cyber resilience training that goes beyond basic security awareness. These sessions are designed to deepen strategic understanding and challenge directors to apply their knowledge to real-world scenarios involving cyber risk and recovery.

B. Board level cyber security oversight

It is important that all boards have complete oversight of cyber security. This means regular updates on the situation and presentations from the responsible managers. It also means hearing from those responsible for compliance and audit, and from the third parties used to assess security. It is critical that boards receive different perspectives on cyber security to give them a fuller and richer picture of their cyber security posture.

C. Board level cyber resilience strategy exercises

Cyber resilience strategy exercises typically span half a day and involve collaboration between board members, senior executives, and relevant technical teams to simulate and respond to cyber incidents. The purpose of the exercise is to:

  1. Ensure roles and responsibilities are understood
  2. Check that documentation and playbooks are available
  3. Verify contact information
  4. Identify gaps and misunderstandings

During the exercise the coordinator will make observations that will guide future cyber resilience strategy training and cyber security oversight. The observations are designed to improve the cyber resilience plan going forward and provide the participants with feedback to help them grow and improve their cyber resilience skills.

How IT Security Locksmith can help

Whether you're a small start-up or a global enterprise, IT Security Locksmith offers tailored support to help you navigate today’s digital threats and build resilience for tomorrow. Led by Jonathan Evans—former Head of Global IT Security at Rothschild & Co—the consultancy brings over 30 years of hands-on experience in cybersecurity, IT resilience, and cryptanalysis.

As your Trusted Advisor, we provide confidential, board-level guidance to help leadership teams understand their role in cybersecurity and digital operational resilience. Our services include:

  • Board-Level Cyber Resilience Training: Delivered virtually or in person, these sessions challenge executives to think strategically about cyber threats and recovery planning.
  • Tabletop Exercises: Realistic simulations that test your organisation’s response to major incidents, helping identify gaps and improve coordination.
  • Consultancy and Strategic Advice: From ransomware and insider threats to regulatory compliance, we offer expert insights and practical solutions tailored to your business.

We understand that cybersecurity can be complex and intimidating. That’s why we provide a safe, confidential space for business leaders to ask questions, explore solutions, and build confidence in their cyber resilience strategy.

#CyberSecurity #CyberResilience #Ransomware #DORA #DigitalResilience

About IT Security Locksmith

We are a specialist UK consultancy that aims to help small, medium and large firms. If you need assistance on any of these or similar subjects, please get in touch.

Learn more about our board-level training and consultancy → [About Us]

Explore our full range of cyber security services → [Our Services]

Book your free initial consultation today → [Contact Us]